Method and apparatus for access to a computer unit

ABSTRACT

A computer unit ( 10 ) arranged to establish contact between itself and a centralized server ( 12 ), in where the computer unit comprises means to establish a networked connection ( 22 ) with said server ( 12 ), and wake up means in case the computer unit is in an off or sleeping state, and optionally if the computer unit is on. The computer unit ( 10 ) comprises or is connected to a mobile unit that is active whether the computer unit is in off, in hibernation or sleeping state, or on state, and in where the mobile unit is adapted to receive a unique request from the server ( 12 ), via a mobile telecommunication connection ( 20 ), and if the request is identified as genuine, the computer unit ( 10 ) is adapted to establish a new and separate networked connection ( 20; 22 ) to the server ( 12 ).

The present invention discloses a computer unit and method arranged to establish contact between itself and a centralized server, in where the computer unit comprises means to establish a networked connection with said server, and wake up means in case the computer unit is in an off state, hibernation or sleeping state, and optionally if the computer unit is on.

BACKGROUND OF THE INVENTION

The present invention further concerns a procedure to establish contact between a computer and a central server, where the computer incorporates equipment for Wake on LAN (may also be called Wake on WAN, Wake on MAN and other similar terms, but we will be using WoL as a term) and to establish a networked connection to the said server.

The idea behind the invention is to develop a program and equipment that centrally services and gives PC or other computer unit's support for different market segments (Private, SOHO (Small Office Home Office) to EMB (Enterprise Medium Business) and the Enterprise market). A big proportion of this market (up to the EMB segment) has little or no PC support, but is still increasingly dependent on its IT-infrastructure in its everyday business. The solution may also be scaled up to the Enterprise market though, as there are user areas for this invention in a situation where the workforce becomes increasingly mobile.

This invention takes full control over the user/company's computers. In other words—the user uses his or her computer as usual, but all maintenance and backup is managed centrally without the active aid of the user and without any reduction in usability or performance. This system will—with regards to the invention—be able to service all kinds of computers, such as desktop, workstations, laptops and servers, even computers and devices incorporated in cars, boats, ships, cranes, or other kinds of built-in computers/devices. The invention must not be confused with a traditional ASP (Application Service Provider) solution based on thin client technology. The invention can be used wherever, exemplified by: In the office, in a hotel, or at home. The computer will be 100% maintained even when being on vacation, travel or in the office. This enhances the usability, and a company would save money, time and resources by using this invention, something that without a doubt will make the user and the company more efficient.

As an example, if the user has a virus that prevents the computer or device from starting up or in other ways malfunction seriously (the user may contact the helpdesk, or in many cases—the computer can contact the servers itself to get help), the system will be able to access the computer in question and service it all the way to the BIOS level (hardware level) if necessary without the need for an operating system like Windows being started, analyze the problem and perform the tasks needed to correct the problem and restore the usability of the computer. The control of the computer will then be handed back to the user.

US 20050166313 A1 describes a procedure to access a computer with Wakeup messages through the NIC (Network Interface Card), and describes how one through the network card can change data in BIOS, that again is stored in flash memory, and that BIOS gets new instructions so that an executable code is made.

US20080028053 A1 describes “Wake on LAN” (WoL) with control information that enables the boot of a computer through other equipment. It also describes how IT personnel may administer virus scans and do other maintenance tasks with a computer that is initially shut off, e.g. during the night hours. It also describes how the network card can be checked during normal boot to ensure that updated system information can be processed as a result of WOL-processing.

US20050086460 A1 describes WOL with BIOS and application in relation to three statuses: running mode, sleeping mode, abnormal off state, as well as to retrieve logs.

U.S. Pat. No. 6,421,782 B describes WOL established using a supplemental LAN-adapter in a docking station providing secure access.

“Technical disclosure” titled “A method and apparatus for Sleep on LAN”, from IBM with IP.COM Nr IPCOM000173706D describes a function called Sleep on LAN, however it uses network cards to access different sleep functions listed with S1-S5 by addressing the computer with MAC address, IP address, Group tags or Magic Packet. Wake on LAN is mentioned, and PNP BIOS.

None of the above mentioned documents mentions use of a mobile service to “wake up” the computer, or by using mobile broadband where the mobile part provides the networked connection even if the computer is in an off state.

It is an object of this invention to provide a solution that gives secure user support for computer units regardless of their physical location, and where the computer unit itself establishes a secured connection to an external server or another computer unit.

SUMMARY OF THE INVENTION

The above mentioned object is achieved by a computer unit as defined in the independent claim 1, wherein the computer unit comprises or is connected to a mobile unit that is active whether the computer unit is in an off state, hibernation or sleeping state (or similar), or on state, and in where the mobile unit is adapted to receive a unique request from the server, via a mobile telecommunication connection, and if the request is identified as genuine, the computer unit is adapted to establish a new and separate networked connection to the server.

Alternative embodiments of the computer unit are specified in respective dependent claims.

The mobile unit can be arranged to be connected via the mobile telecommunication connection as a service comprising GSM, TDMA, CDMA, PDC, PHS, 3G, HSDPA, WiMAX, Wifi or similar technologies.

Pre-programmed information about establishment of said network connection with the server can be stored in a secure way in the computer unit's hardware, such as e.g. TPM chip. The computer unit can upon receipt of the request be arranged to break the connection and to set up a new connection to address or addresses programmed into said storage in the computer unit's hardware, in order to direct external communication to no other destinations than the stored ones.

Alternative, the computer unit upon receipt of the request is arranged to reject the connection, and if the request is identified as genuine, to set up a new connection to address or addresses pre-programmed into said mobile unit, in order to direct external communication to no other destinations than the stored ones.

Further, the motherboard of the computer unit can be locked when the computer is in an off state, and/or that the main storage for user data (HDD/SSD or similar) can be similar locked, and/or that the user data can be encrypted.

The computer unit can be a PC, notebook, server or part of a server farm, or installed in any vehicle, ship, or other computerized equipment.

In an alternative embodiment the computer unit can comprises equipment for Wake on LAN (WoL) and to establish said networked connection with the server, in where the mobile unit is active even if the computer unit is in an off state, as the mobile unit is adapted to receive a telephonic request from the server via the mobile telecommunication connection, such as 3G, HSDPA, Wifi or similar, and if the request is identified as genuine, the computer unit is arranged to establish a new and separate networked connection to the server.

Said object is also achieved by a method as defined in independent claim 9, comprising the following steps:

-   -   to send a mobile based request to the computer unit from the         server, via a mobile telecommunication connection, containing a         unique identifier,     -   to receive the request by a mobile unit in the computer unit,         whereupon the request is being identified, and     -   the computer unit is establishing a new and separate network         connection to the server, if the request is identified as         authentic, otherwise the request is denied.

Alternative embodiments of the method are stated in respective independent method claims.

All requests are preferable being rejected, even though the request is identified as authentic.

Information regarding the networked connection with the server is being stored in the hardware of the computer unit.

The initial request can for security reasons be rejected, whereupon the new connection is established, if the request is identified as genuine.

For the same reason, the unique identifier can be a caller-ID, or other unique identifiers on mobile networks, such as IMSI (International Mobile Subscriber Identity), MSIN (mobile station identification number) or other similar/future technologies.

The request can be a digital, analog or voice signal based upon wireless telecommunication.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention shall now be described by the enclosed figure, in where

FIG. 1 is showing a diagram of a system using the invention.

FIG. 2 is showing a chart of the principles used.

DETAILED DESCRIPTION OF EMBODIMENTS

The figure shows a computer unit 10 that can be connected to the internet 14 through a networked connection 22, a server 12 that similarly can connect to the internet 14 through a networked connection 22, and a mobile telecommunication line 20 that can communicate with the computer unit 10 and the server 12, via for instance a telecommunication line 21 or corresponding connection. Initial connection or call-up to the computer is established using the telecommunication connection 20, while the establishing of a connection between the computer 10 and server 12 may run either through the networked connection 22 or line 20, depending on the coverage of cabled and mobile broadband connections.

The man skilled in the art will understand that the server can be a server farm or other control unit, as desired. Further, the server must also be understood to be able to be another computer unit, such as a PC, notebook, etc., and is the unit which initiates the connection, but for ease of understanding the term “server” is used in the specification and in the patent claims. Telephonic request can further be a digital, analog or voice signal.

To enable backup or support the computer 10 one is dependent on being able to reach the computer regardless of location, and to achieve this in the best way the computer will be equipped with or connected to a mobile broadband unit (3G/HSDPA or similar/future technologies) communicating through the telecommunication connection 20. This will be adapted so that the mobile unit in or connected to the computer 10 is on even if the computer in itself is turned off (WoL), hibernation or sleeping state (or similar), or on. Included in the solution are automated processes to prevent aging such as system optimizing programs, removal of excess files, defragmentation, and registry cleanup. This may vary depending on operating system, configuration and technical advances in the future. Furthermore this enables the usage of hidden partitions on the storage unit to devise quick help in the case of serious problems. Examples may be a complete image of the system partition or a small image of the files that most frequently are corrupted or infected. Other tasks and processes may be added over time, and the mentioned are only examples illustrating some of the purpose and effect of the invention.

The mobile unit can be integrated with the computer unit, or the mobile unit may be a separate unit which can be connected to the computer unit by for instance a USB connection, Infrared (IR) or Bluetooth.

The mobile telecommunication connection can be a service comprising GSM, TDMA, CDMA, PDC, PHS, 3G, HSDPA, WiMAX, Wifi or similar technologies.

Support will of course work as a point of contact between the customer and the service no matter what the problem may be. The support centre will have servers 12 that are used during the servicing of the computer 10, and will be independent of the user in order to connect to the computer and perform proactive support such as virus scans, anti ageing measures, backup or other tasks or reactively help users with problems such as a computer that refuses to start.

Technical description of security:

1. Secured local computer—example of highest security level:

-   -   a. For purposes such as backup, system maintenance etc; this may         be initiated from the outside by the server sending a request to         the computer by means of a unique identifier (such as for         instance a phone number or any other technology offering a         unique identifier over an open mobile network) through a mobile         telecommunication service to the computer equipped with a mobile         communications device like GSM, TDMA, CDMA, PDC, PHS, 3G, HSDPA,         WiMAX, Wifi or similar and future technologies. The request is         received by the mobile receiver, i.e. the mobile unit, in or         connected to the computer, where the request is identified (e.g.         stored in the TPM chip), and if the identification is a match,         the computer unit rejects the call and sets up a new connection         to the server using the networks available to it. By doing this         it will be impossible to manipulate the communication and         redirect the traffic.     -   b. All communications with the server farm etc. can be         encrypted.     -   c. Mother board is locked when the computer is in an off state.     -   d. The storage device(s) (HDD, SSD etc. . . . ) are locked when         the computer is in an off state.     -   e. The storage device(s) or user data areas are encrypted.     -   f. Login to the computer is secured by using biometric devices         (such as fingerprint, face recognition etc. . . . )     -   g. The computer may be marked with a special label (e.g.         “extremely secured computer” or similar) as well as other         visible and hidden markings to discourage theft as well as         tracking devices either built in or separate.     -   h. The administration level will be locked to reduce risk.     -   i. Frequent backups of changes (even continuous) to minimize         risk of data loss if the computer is lost or stolen, with logs         and alarms if backup isn't performed as scheduled.     -   j. Functions for the removal of threats as for example spyware,         adware, virus and other threats varying over time, system         maintenance and system rejuvenation may be run automatically and         logged back into the system.

One or more of the functions a-j can be omitted in case a lower security level is desired. Or additional functions can be amended.

The uniqueness of the solution is mainly two things:

-   -   1. By using a mobile telecommunication technology (such as GSM,         TDMA, CDMA, PDC, PHS, 3G, HSDPA, WiMAX, Wifi or similar and         future technologies based on the same principle) with a unique         identifier (such as a caller-ID, or other unique identifiers on         mobile networks) no matter where the computer is located. The         only prerequisite is that there is a connection available where         the computer is located.     -   2. By contacting the device as described, this enables you to do         a WoL if the device is in an off state, hibernation state or         sleeping state (or similar). This means that by using open         mobile technologies it can be initiated safely even if the         computer is behind a firewall/router or other screening devices         that formerly made it impossible to localize and maintain         computers with initiation from the server farm (e.g. because of         NAT'ing or refusal of connections initiated from the outside).

By using these two features in combination it enables the company to reach, maintain and/or do other tasks with their computers or devices regardless of their geographical location or what networks they are on. This may apply for hotels, at home, visiting other companies etc.

In order to establish a secured connection through WoL, using mobile networks or similar technologies, there will be the following prerequisites (note that not all are mandatory):

-   -   When the computer or device is contacted through mobile/3G or         similar services uniquely, the computer will check the         credentials in a safe storage area in hardware to find a match         (for instance in safe storage in the TPM chip). If it is         matched, the connection will be rejected. Other similar means of         ensuring the safety may in time be applied here as technology         evolves.     -   The computer or device understands that it needs to “call home”         and searches again in its safe storage as described above to         find out where to connect. There may be multiple addresses         stored as alternatives if one is inaccessible. The computer or         device will then as needed start the available communication         devices and search for the quickest connection back to the         server farm and set up the connection.     -   This connection will be set up using an encrypted method (e.g.         VPN encrypted tunnelling), thus ensuring that the communication         is secure.     -   If the connection is started before any operating system is         started, it is a prerequisite that the hardware supports such         encrypted communications.     -   This means that the initiator will not have access to the         computer at any point unless the computer itself calls back to a         predefined address using an encrypted and adequately secured         line.     -   The address(es) for this is stored securely in hardware (e.g.         TPM chip or similar/future technologies) which is locked and         encrypted, inaccessible from the outside or if needed even by         the user.

In summary: Sending a request to a computer or device (e.g. the same way a number is presented on a mobile when someone calls). Checking the caller in safe storage (e.g. like the mobile phone searches the contact list to find a match). Rejecting the caller and setting up a secured connection to one or more locations (e.g. with alternative numbers as you have in your contact list) using available connections to predefined address(es) where the address cannot be manipulated by others or by the user.

Although an exemplary description of the invention has been set forth above to enable those of ordinary skill in the art to make and use the invention, that description should not be construed to limit the invention, and various modifications and variations can be made to the description without departing from the scope of the invention, as will be understood by those with ordinary skill in the art, and the scope thereof is determined by the claims that follow. 

1. A computer unit (10) arranged to establish contact between itself and a centralized server (12), in where the computer unit comprises means to establish a networked connection (22) with said server (12), and wake up means in case the computer unit is in an off or sleeping state, and optionally if the computer unit is on, wherein the computer unit (10) comprises or is connected to a mobile unit that is active whether the computer unit is in off, in hibernation or sleeping state, or on state, and in where the mobile unit is adapted to receive a unique request from the server (12), via a mobile telecommunication connection (20), and if the request is identified as genuine, the computer unit (10) is adapted to establish a new and separate networked connection (20; 22) to the server (12).
 2. A computer unit in accordance with claim 1, wherein the mobile unit is arranged to be connected via the mobile telecommunication connection as a service comprising GSM, TDMA, CDMA, PDC, PHS, 3G, HSDPA, WiMAX, Wifi or similar technologies.
 3. A computer unit in accordance with claim 1, wherein pre-programmed information about establishment of said network connection (20; 22) with the server is stored in a secure way in the computer units hardware, such as e.g. TPM chip.
 4. A computer unit in accordance with claim 3, wherein the computer unit (10), upon receipt of the request, is arranged to reject the connection, and if the request is identified as genuine, to set up a new connection to address or addresses programmed into said storage in the computer units hardware, in order to direct external communication to no other destinations than the stored ones.
 5. A computer unit in accordance with claim 1, wherein the computer unit (10), upon receipt of the request, is arranged to reject the connection, and if the request is identified as genuine, to set up a new connection to address or addresses pre-programmed into said mobile unit, in order to direct external communication to no other destinations than the stored ones.
 6. A computer unit in accordance with claim 1, wherein the motherboard of the computer unit (10) is locked when the computer is in an off state, and/or that the main storage for user data (HDD/SSD or similar) is locked in the same manner, and/or that the user data can be encrypted.
 7. A computer unit in accordance with claim 1, wherein the computer unit (10) is a PC, notebook, part of a server, or installed in any vehicle, ship, or other computerized equipment.
 8. A computer unit in accordance with claim 1, wherein the computer unit (10) comprises equipment for Wake on LAN (WoL) and to establish said networked connection (22) with the server (12), in where the mobile unit is active even if the computer unit is in an off state, as the mobile unit is adapted to receive a telephonic request from the server (12) via the mobile telecommunication connection (20), such as 3G, HSDPA, Wifi or similar, and if the request is identified as genuine, the computer unit (10) is arranged to establish a new and separate networked connection (20; 22) to the server (12).
 9. Method to establish contact between a computer unit (10) and a centralized server (12), in where the computer unit comprises wake up means in case the computer unit is in an off or sleeping state, and optionally if the computer unit is on, and which is arranged to establish a networked connection (22) with said server (12), wherein said method comprises the following steps: to send a mobile based request to the computer unit (10) from the server (12), via a mobile telecommunication connection (20), containing a unique identifier, to receive the request by a mobile unit in or connected to the computer unit (10), whereupon the request is being identified, and the computer unit (10) is establishing a new and separate network connection (20; 22) to the server (12), if the request is identified as authentic, otherwise the request is rejected.
 10. Method in accordance with claim 9, wherein all requests are being rejected, even though the request is identified as authentic.
 11. Method in accordance with claim 9, wherein information regarding the networked connection with the server is being stored in the hardware of the computer unit.
 12. Method in accordance with claim 9, wherein the initial connection for security reasons is terminated, whereupon the new connection is established, if the request is identified as genuine.
 13. Method in accordance with claim 9, wherein the unique identifier is a caller-ID, or other unique identifiers on mobile networks.
 14. Method in accordance with claim 9, wherein the request is a digital, analog or voice signal based upon wireless telecommunication. 